





From: Jaco Du Plooy [mailto:Jduplooy@irdeto.com]
Sent: Mon 6/19/2006 5:26 PM
To: Tom Goode
Cc: Joy Jump; Twan van de Ven

Subject: RE: IIF DRM TF Patent Disclosure - 06/08/06 





Hi Tom, 


Please see message below. I attach here the patent in question, US Patent No. 5799089A1, our original RCBC
proposal: System and apparatus for blockwise encryption/decryption of data. It relates to the use of RCBC-mode
of our proposal.


What else do I need to do to submit the disclosure in writing, or is this all the information you require?


Thanks,
Jaco 


Name: Jaco du Plooy 

Position: Engineering Manager 
Tel: +1 425.497.2800 ext. 210 
Fax: +1 425.497.2801 

Mobile: +1 425.533.3067 


Irdeto Mobile


10/2/2007 














For events or other information visit our website: http://www.irdeto.com


This e-mail and any attachments are CONFIDENTIAL and intended solely for the use of the individual(s) to whom it is addressed. It 
can contain proprietary confidential information and/or be subject to legal privilege and/or subject to a non-disclosure Agreement. 
Unauthorized use, disclosure or copying is strictly prohibited. If you are not the/an addressee and are in possession of this e-mail, 
please notify us immediately. 


From: Joy Jump [mailto:jjump@atis.org] 

Sent: Friday, June 09, 2006 6:38 AM 

To: Pinder, Howard; Jaco Du Plooy 

Cc: Tom Goode; Wasilewski, Tony; Andre Jacobs; Maria Estefania; Fargano, Michael 
Subject: IIF DRM TF Patent Disclosure - 06/08/06 


Howard and Jaco, 


At the 06/08/06 IIF DRM TF conference call, a patent disclosure notice was made on behalf of your company. 
Scientific Atlanta - US Patent No. 5684876 - MPEG transport scrambling 
Irdeto - US Patent No. 5799089A1 - Chaining mode


We request that any company that makes a disclosure notice during a meeting, submit that disclosure in writing. 
All disclosure notices will be entered into the meeting record for that conference call. 


If you have questions, please contact ATIS Attorney, Tom Goode (tgoode@atis.org) or (202) 434-8830. 


Joy Jump 

ATIS Committee Administrator 
202-434-8840 (office) 
202-302-1724 (mobile) 


[57] ABSTRACT


A system for encrypting and decrypting digital data wherein
the data is divided in packets of N blocks X(1) . . . X(N) of
2^n bits, comprises an encryption device and a decryption
device. The encryption device reverses the sequence of the
blocks X(1) . . . X(N) before a XOR operation and next an
encryption operation by means of an encryption algorithm E
is carried out on each block of a packet. Thereby the
following encrypted blocks Y(1) . . . Y(N) are formed:
Y(1)=E [X(N)+IV], Y(i)=E [X(N-i+1)+Y(i-1)] for i>1 and
i≤N. The encrypted blocks Y(1) . . . Y(N) are transferred by
a sender in reversed sequence Y(N) . . . Y(1) to a receiver.
The decryption device at the receiver obtains the original
blocks X(1) . . . X(N) by carrying out a decryption operation
by means of a decryption algorithm D and next a XOR
operation on each block Y(N) . . . Y(1) received. Thereby the
original blocks are obtained as follows: X(i)=D [Y(N-i+1)]
+Y(N-i) for i=1, 2, . . . , N-1; X(N)=D [Y(1)]+IV.






12 Claims, 2 Drawing Sheets

SYSTEM AND APPARATUS FOR
BLOCKWISE ENCRYPTION/DECRYPTION 
OF DATA 


BACKGROUND OF THE INVENTION 


The invention relates to a system for encrypting and 
decrypting digital data. 

A known system uses the so-called cipher block chaining
(CBC) method. Although an encryption of digital data can
be obtained by this known CBC method, which encryption
can hardly be decrypted by unauthorized persons, the known
system has some disadvantages. These disadvantages are
present in particular in applications in the field of digital
television, wherein a minor number of senders and a very
high number of receivers are involved and high processing
speeds are required in view of the large amount of digital
data to be transmitted. In using the usual CBC method, a
buffer storage is required in the receiver, in which four block
lengths of digital data can be stored. Such a large buffer
storage increases the costs of the receiver which is a major
disadvantage in systems with a high number of receivers.
Further, a header with a fixed bit pattern is generally
provided at the beginning of each packet of digital data. As
in the known CBC method, the first block is combined with
a fixed initial vector, this could result in a recognizable bit
pattern in the encrypted data. Such a recognizable bit pattern
provides a potential attack for decrypting the encrypted data
by unauthorized persons.


SUMMARY OF THE INVENTION 


The invention aims to provide a system of the above- 
mentioned type wherein the disadvantages of the known 
system are obviated in an effective manner and which is 
particularly suitable for application in the field of digital 
television. 

In this manner a system is obtained wherein at the receiver 
side a buffer storage is required of two times the block length 
in bits so that the costs are decreased. By reversing the 
sequence of the blocks, it is further obtained that the initial 
vector is combined with variable data, whereby the header
part of the packet as last block is combined with a variable 
bit pattern, so that it is guaranteed that a fixed pattern cannot 
be found in the encrypted blocks. The method used in the 
system according to the invention can be indicated as 
reverse cipher block chaining or RCBC method. 


BRIEF DESCRIPTION OF THE DRAWINGS 


The invention will be further explained by reference to the 
drawings in which an embodiment of the system of the 
invention is schematically shown. 

FIG. 1 schematically shows the RCBC method used in the 
system of the invention. 

FIG. 2 schematically shows the operation of the encrypt- 
ing device of the invention by means of a block diagram. 

FIG. 3 schematically shows the operation of the decryp- 
tion device of the invention by means of a block diagram. 


DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENTS 


Referring to FIG. 1 there is very schematically shown an 
embodiment of the encryption and decryption method used 
in the system of the invention. In the embodiment shown it 
is assumed that packets of data are divided in four blocks A,
B, C and D each having a length of 64 bits. At the sender side
the sequence of the blocks A-D is reversed in an encryption
device not further shown, so that the blocks D, C, B and A
are encrypted successively in time. In the first encryption
step block D is subjected to an exclusive-or operation or
XOR operation indicated by the symbol +. In the first step,
the XOR operation is carried out with an initial vector IV
also having a length of 64 bits. As shown in FIG. 1, a data
block D* is obtained in this manner, which is thereafter
subjected to an encryption operation by means of an encryption
algorithm E which will be further explained hereafter.
Thereby the encrypted data or cypher text block D' is finally
obtained.

In the second step, the data block C and the encrypted data
block D' are subjected to a XOR operation providing an
encoded data block C* which is thereafter encrypted by
means of the encryption algorithm E into an encrypted data
block C'. In the next steps the encrypted data blocks B' and
A' are obtained in a corresponding manner.

Before transferring the data, the sequence is again
reversed, so that the encrypted data blocks A', B', C' and D'
are successively transferred.

At the receiver side, the received encrypted data block A'
is subjected in the first step to a decryption operation by
means of a decryption algorithm D, so that the encoded data
block A* is obtained. This encoded data block A* is thereafter
subjected to a XOR operation with the second
encrypted data block B' received by now, so that the original
data block or plain text block A is obtained.


As schematically shown, the next original data blocks B
and C are obtained in a corresponding manner, whereafter
the last data block D is obtained by a XOR operation of the
encoded data block D* and the initial vector IV.

In a more general way it can be stated that the following
operation is carried out at the sender side.

The digital data is divided into packets of N blocks X(1),
X(2) . . . X(N), wherein each block has 2^n bits. The sequence
of the blocks is reversed before the encryption operation into
X(N), X(N-1) . . . X(1). This sequence of blocks is
encrypted by the encryption algorithm E in the following
manner:

Y(1)=E [X(N)+IV]
Y(i)=E [X(N-i+1)+Y(i-1)] for i>1 and i≤N.


The sequence of these encrypted blocks is again reversed, 
so that the sequence Y(N), Y(N-1) . . . Y(1) is transferred to
the receiver. 

At the receiver side the original data blocks are obtained
by means of the decryption algorithm D as follows:

X(i)=D [Y(N-i+1)]+Y(N-i) for i=1, 2, . . . , N-1
X(N)=D [Y(1)]+IV


The RCBC method described shows the significant 
advantage that a buffer storage at the receiver is required for 
storing two data blocks only. Compared to known systems 
the required storage at the receiver is halved. This is 
obtained at the expense of a larger storage at the sender, as
the sequence of the data blocks within each packet has to be
reversed at the sender. Thereby the system of the invention
is suitable in particular for applications in systems wherein
only one or some senders are provided and a large number
of receivers, as for example in digital television broadcast
systems. Further, the system described shows the advantage
that during encryption the initial vector is combined with a
variable data block whereas the last encrypted data block
generally comprising a header with a fixed pattern is thereby 
combined with a variable encrypted data block. Thereby it is 
avoided that a fixed pattern caused by the header part of each 
packet could be recognized in the encrypted data. 

Finally, the system of the invention has the advantage that
the pipeline delay at the receiver side, i.e. the delay time
until a first decrypted data block appears, is restricted to one 
block length in time, whereas this pipeline delay is three 
block lengths in time for the known CBC method. 
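
The RCBC chaining described above, with its two-block receiver buffer and its handling of a fixed header under a fixed initial vector, is shown in the following added example, which is not part of the patent text. The block cipher E/D is a stand-in 4-round Feistel network over SHA-256 (an assumption; the shift-register cipher of FIGS. 2 and 3 is not reproduced), and the key, IV, header and payloads are constructed sample values.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as in the FIG. 1 embodiment

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the stand-in cipher (assumption, not the patent's S-box).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit block cipher: 4-round Feistel network."""
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def D(key: bytes, block: bytes) -> bytes:
    """Inverse of E: undo the Feistel rounds in reverse order."""
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def rcbc_encrypt(key, iv, blocks):
    """blocks is [X(1)..X(N)]; returns the transmit order [Y(N)..Y(1)]."""
    prev, out = iv, []
    for x in reversed(blocks):            # X(N), X(N-1), ..., X(1)
        prev = E(key, _xor(x, prev))      # Y(i) = E[X(N-i+1) + Y(i-1)], Y(0) = IV
        out.append(prev)
    return out[::-1]                      # sent as Y(N) ... Y(1)

def rcbc_decrypt_stream(key, iv, received):
    """Consume Y(N)..Y(1) one block at a time and yield X(1)..X(N).
    Only two ciphertext blocks (held and y) are ever buffered."""
    held = None
    for y in received:
        if held is not None:
            yield _xor(D(key, held), y)   # X(i) = D[Y(N-i+1)] + Y(N-i)
        held = y
    if held is not None:
        yield _xor(D(key, held), iv)      # X(N) = D[Y(1)] + IV

def cbc_encrypt(key, iv, blocks):
    """Conventional CBC for comparison: the header block is XORed with the IV."""
    prev, out = iv, []
    for x in blocks:
        prev = E(key, _xor(x, prev))
        out.append(prev)
    return out

# Constructed sample data: fixed 8-byte header, fixed IV, two different payloads.
KEY, IV, HEADER = b"constructed-key", bytes(BLOCK), b"\x47HDRHDR\x00"

def packet(payload: bytes):
    return [HEADER] + [payload[i:i + BLOCK] for i in range(0, len(payload), BLOCK)]

P1 = packet(b"payload-one-AAAAAAAAAAAA")
P2 = packet(b"payload-two-BBBBBBBBBBBB")

def header_block_repeats(encrypt) -> bool:
    """True if the first transmitted ciphertext block is equal for P1 and P2."""
    return encrypt(KEY, IV, P1)[0] == encrypt(KEY, IV, P2)[0]

if __name__ == "__main__":
    assert list(rcbc_decrypt_stream(KEY, IV, iter(rcbc_encrypt(KEY, IV, P1)))) == P1
    print("CBC  header block repeats:", header_block_repeats(cbc_encrypt))
    print("RCBC header block repeats:", header_block_repeats(rcbc_encrypt))
```

With a fixed IV, two packets that are identical in every block still encrypt identically under RCBC; the header pattern is hidden only when the later blocks of the packet vary.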

The encryption algorithm E and the decryption algorithm 
D used in the system of the invention will be further 
explained hereafter by reference to FIGS. 2 and 3. 

As shown in FIG. 2, the encryption device comprises a 
shift register 8 having eight memory elements 0-7 each 
having 8 bits. It is also possible to have a different number 
of bits for each memory element. A XOR element is provided
between the memory elements 2 and 3, 5 and 6, 0 and
7, respectively, said XOR element being indicated by + and
having a XOR gate for each bit. When an output or input is
mentioned hereinafter, actually a number of output or input
lines corresponding with the number of bits of the memory
elements is indicated. The output of memory element 0 of
the shift register 8 is connected to the XOR elements
preceding the memory elements 2 and 7. The output of
memory element 7 is connected to a XOR element 10 to
which a cycling key register 11 is also connected.

This key register 11 also comprises eight memory ele- 
ments 0-7 each having 8 bits. A key of 64 bits is stored in 
this key register. The output of XOR element 10 is connected 
to a look-up table 12 of 256 elements each having 8 bits,
which look-up table is also referred to as substitution
module or S-box. The output of the S-box 12 is applied to
the XOR element ahead of memory element 7 of the shift
register 8 and after going through a permutation element 13
to the XOR element between memory elements 5 and 6 of 
the shift register 8. 

The cycling key register 11 is synchronously stepped with 
the shift register 8. In order to encrypt a data block, the data
block is loaded into the shift register, whereafter the data is
shifted one memory element to the right after each step,
wherein the contents of the memory element 0 is shifted to
the memory element 7. After eight steps the data block is
shifted one round and the key in the key register 11 is
advanced one step as indicated schematically by a dashed
line 14. Thereafter the encryption process is repeated six
times. The shifting of the key in the key register 11 is shown
in a table in FIG. 2, wherein each cycle of eight steps is
indicated by R1, R2 . . . R7. Of course it is also possible to
repeat the encryption process a higher or lower number of
times.

In contrast to known encryption algorithms, like the DES 
algorithm, a single relatively large S-box is used in the 
described encryption device instead of a plurality of small 
S-box elements. The use of one large S-box shows the 
advantage that a very strong non-linearity is introduced in 
one step. The byte of memory element 7 is directly com- 
bined with a byte of the key and the operation provided by 
the S-box provides a strong non-linearity introduced in 
memory element 7 and after permutation through the per- 
mutation element 13 in memory element 5. As the byte is 
modified in a non-linear manner at the output of the S-box 
12 and is introduced into the shift register 8 at two locations,
a rapid diffusion of this non-linearity is obtained. Thereby a
better encryption is obtained than would be possible by
means of a plurality of small S-box elements. The use of the
XOR element between the memory elements 2 and 3 of the
shift register 8 shows the advantage that the number of
possible keys at a certain bit length of the key is doubled as 
compared to the known DES algorithm because there is no 
connection anymore between the complement of a data 
block with the complement of the key and the complement 
of the encrypted data block. 

As shown in FIG. 3, decryption is obtained by the
reversed operation.

It is noted that the described RCBC method of the 
invention can also be applied in such a manner that the 
sequence of the blocks of each packet is not reversed before 
the encryption. In this case the blocks will be received at the 
receiver in reversed sequence X(N), X(N-1) . . . X(1). In
this case the blocks can be reversed at the receiver.

The invention is not restricted to the above-described 
embodiment which can be varied in a number of ways within 
the scope of the invention. 

We claim: 

1. A system for encrypting and decrypting digital data, 
wherein the data is divided into packets of N blocks 
(X(1) . . . X(N)) of 2^n bits, said system comprising:

an encryption device having encryption means for performing
a XOR operation (+) and then an encryption
operation by means of an encryption algorithm (E) on
each block of a packet, wherein encrypted blocks
(Y(1) . . . Y(N)) are obtained according to

Y(1)=E [X(N)+IV]
Y(i)=E [X(N-i+1)+Y(i-1)] for i>1 and i≤N,

where IV is an initial vector, and wherein said encryption
means reverses the sequence of the blocks (X(1) . . . X(N))
before carrying out the encryption and XOR operations, and
wherein said encryption device includes means for reversing
the encrypted blocks (Y(1) . . . Y(N)) before transferring the
encrypted blocks (Y(1) . . . Y(N)); and
a decryption device having means for performing a
decryption algorithm (D) and then the XOR operation
on each encrypted block (Y(1) . . . Y(N)), wherein the
original blocks (X(1) . . . X(N)) are obtained according
to

X(i)=D [Y(N-i+1)]+Y(N-i) for i=1, 2, . . . , N-1
X(N)=D [Y(1)]+IV


2. The system according to claim 1, wherein for carrying 
out the decryption algorithm the decryption device comprises
a shift register with eight memory elements (0,
1, . . . , 7) each having 2* bits and a key register with eight
memory elements (0, 1, . . . , 7) of 2* bits, said registers being
controlled synchronously for shifting data in parallel in a
direction of memory element (0) to memory element (7),
wherein the output of memory element (7) is coupled to
memory element (0), and wherein the output of memory
element (6) of the shift register and the output of memory
element (7) of the key register are subjected to a XOR
operation and the output of the XOR operation is processed
by a look-up table with 256 elements each having 2“ bits and
the output obtained is applied to a XOR operation at the
output of memory element (5) at the input of memory
element (0), respectively.

3. The system according to claim 2, wherein the output of
the look-up table is subjected to a permutation before the 
XOR operation ahead of the output of memory element (5). 

4. The system according to claim 2, wherein the third 
memory element (3) receives as an input a XOR operation 
of the output of memory elements (2 and 7).

5. The system according to claim 2, wherein the original
data loaded into the shift register is processed in eight steps,
whereafter the key in the key register is advanced by one
memory element, whereafter processing in eight steps is
repeated a number of times before the decrypted data is 
retrieved from the shift register. 

6. The system according to claim 1, wherein for carrying 
out the encryption algorithm (E) the encryption device 
comprises a shift register with eight memory elements (0,
1, . . . , 7) each having 2* bits and a key register with eight
memory elements (0, 1, . . . , 7) of 2* bits, said registers being
controlled synchronously for shifting data in parallel in a
direction of memory element (7) to memory element (0),
wherein the output of memory element (0) is coupled to
memory element (7), and wherein the output of memory
element (7) of the shift register and the output of memory
element (0) of the key register are subjected to a XOR
operation and the output of the XOR operation is processed
by a look-up table with 256 elements each having 2* bits and
the output obtained is applied to a XOR operation at the
input of memory element (5) and together with the output of
the memory element (0) at the input of the memory element
(7), respectively.

7. The system according to claim 6, wherein the output of 
the look-up table is subjected to a permutation before the 
XOR operation ahead of the input of memory element (5). 

8. The system according to claim 6, wherein the second
memory element (2) receives as input a XOR operation of 
the output of memory elements (0 and 3). 

9. The system according to claim 6, wherein the original 
data loaded into the shift register is processed in eight steps,
whereafter the key in the key register is advanced by one 
memory element, whereafter processing in eight steps is 
repeated a number of times before the encrypted data is 
retrieved from the shift register. 

10. An encryption device for a system for encrypting and 
decrypting digital data, wherein the data is divided into 
packets of N blocks (X(1) . . . X(N)) of 2^n bits, the
encryption device having encryption means for performing
a XOR operation (+) and then an encryption operation by
means of an encryption algorithm (E) on each block of a
packet, wherein encrypted blocks (Y(1) . . . Y(N)) are
obtained according to

Y(1)=E [X(N)+IV]
Y(i)=E [X(N-i+1)+Y(i-1)] for i>1 and i≤N,

where IV is an initial vector, and wherein said encryption
means reverses the sequence of the blocks (X(1) . . .
X(N)) before carrying out the encryption and XOR
operations.

11. A decryption device for a system for encrypting and
decrypting digital data, wherein the data is divided into
packets of N blocks (X(1) . . . X(N)) of 2^n bits and encrypted
into packets of N blocks (Y(1) . . . Y(N)), the decryption
device having means for performing a decryption algorithm
(D) and then a XOR operation (+) on each encrypted block
(Y(1) . . . Y(N)), wherein the original blocks (X(1) . . . X(N))
are obtained according to

X(i)=D [Y(N-i+1)]+Y(N-i) for i=1, 2, . . . , N-1
X(N)=D [Y(1)]+IV


where IV is an initial vector.

12. A method for encrypting and decrypting digital data,
wherein the data is divided into packets of N blocks
(X(1) . . . X(N)) of 2^n bits, said system comprising:
reversing the blocks (X(1) . . . X(N)) of a packet;
encrypting the blocks (X(1) . . . X(N)), the step of
encrypting including performing a XOR operation (+)
and then an encryption operation by means of an
encryption algorithm (E) on each block of a packet,
wherein encrypted blocks (Y(1) . . . Y(N)) are obtained
according to

Y(1)=E [X(N)+IV]
Y(i)=E [X(N-i+1)+Y(i-1)] for i>1 and i≤N,

where IV is an initial vector,
reversing the encrypted blocks (Y(1) . . . Y(N));
transferring the encrypted blocks (Y(1) . . . Y(N)) to a
receiver; and
decrypting the encrypted blocks (Y(1) . . . Y(N)), the step
of decrypting including performing a decryption algorithm
(D) and then the XOR operation on each
encrypted block (Y(1) . . . Y(N)), wherein the original
blocks (X(1) . . . X(N)) are obtained according to

X(i)=D [Y(N-i+1)]+Y(N-i) for i=1, 2, . . . , N-1
X(N)=D [Y(1)]+IV





